Cyber insurance

Because the cyber insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify. As the impact to people and businesses from cyber threats is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services. As well as directly improving security, cyber insurance is beneficial in the event of a large-scale security breach. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance. As a side benefit, many cyber-insurance policies require entities attempting to procure cyber insurance policies to participate in an IT security audit before the insurance carrier will bind the policy. This will help companies determine their current vulnerabilities and allow the insurance carrier to gauge the risk they are taking on by offering the policy to the entity. By completing the IT security audit the entity procuring the policy will be required, in some cases, to make necessary improvements to their IT security vulnerabilities before the cyber-insurance policy can be procured. This will in-turn help reduce risk of cyber crime against the company procuring cyber insurance. Finally, insurance allows cyber-security risks to be distributed fairly, with the cost of premiums commensurate with the size of expected loss from such risks. This avoids potentially dangerous concentrations of risk while also preventing free-riding. ==History ==

According to Josephine Wolff’s research into the history of cyber insurance, its origins trace back to an April 1997 International Risk Insurance Management Society convention at which Steven Haase presented the launch of the first cyber insurance product, including first and third party coverages. Haase first came up with the concept of cyber insurance a few years earlier and had discussed it with various industry colleagues at times, but this 1997 event marked a breakthrough moment when the first cyber insurance policy and underwriting platform were actually launched. The event resulted in the creation of the first policy designed to focus on the risks of internet commerce, which was the Internet Security Liability (ISL) policy, developed by Haase and underwritten by AIG. Around this same time, in 1999, David Walsh founded CFC Underwriting in the United Kingdom, a company which treats cyber as one of its main focus areas. Chris Cotterell founded Safeonline around the same time, which soon became another significant player in the cyber insurance space. The early meeting between Haase and 20 industry colleagues in Hawaii is now commonly referred to as the “Breach on the Beach” and is considered a pivotal moment at which cyber insurance was first recognized and celebrated. After a significant malware incident in 2017, however, Reckitt Benckiser released information on how much the cyberattack would impact financial performance, leading some analysts to believe the trend is for companies to be more transparent with data from cyber incidents. Purchases of cyber insurance has increased due to the rise in internet-based attacks, such as ransomware attacks. Government Accountability Office, "Insurance clients are opting in for cyber coverage—up from 26% in 2016 to 47% in 2020. At the same time, U.S. insurance entities saw the costs of cyberattacks nearly double between 2016 and 2019. As a result, insurance premiums also saw major increases." ==Current need ==

A key area to manage risk is to establish what is an acceptable risk for each organization or what is 'reasonable security' for their specific working environment. Legislation In 2022, Kentucky and Maryland enacted insurance data security legislation based upon the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law (MDL-668). Maryland's SB 207 takes effect on October 1, 2023. Kentucky's House Bill 474 goes into effect on January 1, 2023. ==Existing issues ==

During 2005, a “second generation" of cyber-insurance literature emerged targeting risk management of current cyber-networks. The authors of such literature link the market failure with fundamental properties of information technology, specially correlated risk information asymmetries between insurers and insureds, and inter-dependencies. According to Josephine Wolff, cyber insurance has been "ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable." Ambiguities in terms FM Global in 2019 conducted a survey of CFOs at companies with over $1 billion in turnover. The survey found that 71% of CFOs believed that their insurance provider would cover "most or all" of the losses their company would suffer in a cyber security attack or crime. Nevertheless, many of those CFOs reported that they expected damages related with cyber attacks that are not covered by typical cyber attack policies. Specifically, 50% of the CFOs mentioned that they anticipated after a cyber attack a devaluation of their company's brand while more than 30% expected a decline in revenue. War exclusion clauses Like other insurance policies, cyber insurance typically includes a war exclusion clause - explicitly excluding damage from acts of war. While the majority of cyber insurance claims will relate to simple criminal behaviour, increasingly companies are likely to fall victim to cyberwarfare attacks by nation-states or terrorist organizations - whether specifically targeted or simply collateral damage. After the US and UK, governments characterized the NotPetya attack as a Russian military cyber-attack insurers are arguing that they do not cover such events. == Insurance Linked Securities for Cyber Risk Management ==

In a recent academic effort, researchers Pal, Madnick, and Siegel from the Sloan School of Management at the Massachusetts Institute of Technology were the first to analyze the economic feasibility of cyber-CAT bond markets. They applied economic theory and data science to propose conditions under which is it economically efficient to either have re-insurance markets transferring risk (without the existence of CAT bond markets), CAT bond markets transferring risk (in the presence of re-insurance markets), or self-insurance markets (in the absence of re-insurance and CAT bond markets) to cover residual cyber-risk. ==Pricing==

As of 2019, the average cost of cyber liability insurance in the United States was estimated to be $1,501 per year for $1 million in liability coverage, with a $10,000 deductible. The average annual premium for a cyber liability limit of $500,000 with a $5,000 deductible was $1,146, and the average annual premium for a cyber liability limit of $250,000 with a $2,500 deductible was $739. In addition to location, the main drivers of cost for cyber insurance include the type of business, the number of credit/debit card transactions performed, and the storage of sensitive personal information such as date of birth and Social Security numbers. == Regulatory drivers ==

Regulatory requirements for data protection and breach notification have been significant drivers of cyber insurance adoption. In the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to implement security safeguards for electronic protected health information and to notify affected individuals and the Department of Health and Human Services (HHS) when breaches occur. HIPAA enforcement actions have resulted in settlements exceeding $140 million since 2003, with individual penalties reaching $16 million, creating financial incentives for healthcare organizations to carry cyber insurance policies that cover regulatory fines and breach response costs. The 2024 Change Healthcare cyberattack, which affected approximately 100 million individuals and caused billions of dollars in damages across the healthcare system, highlighted the scale of financial exposure facing healthcare organizations and intensified scrutiny of cyber insurance coverage adequacy in the sector. In the European Union, the General Data Protection Regulation (GDPR) similarly drives cyber insurance demand through its requirements for breach notification within 72 hours and potential fines of up to 4% of annual global turnover. ==References==